


aS 


Federal Register/Vol. 83, No. 2/ Wednesday, January 3, 2018/Rules and Regulations 


239 











Docket No. 


Type 


Location Effective date 





USCG-—2016-0095 
USCG-2016—-0158 
USCG-2016-0401 
USCG-2016-0512 
USCG-2016-0548 
USCG-—2016—-0606 
USCG-—2016-0595 
USCG-2016-0631 
USCG-2016—-0475 
USCG-2016—0495 
USCG-2016-0637 





Safety Zones (Part 147 and 165) 
Special Local Regulation 
Safety Zones (Part 147 and 165) 
Special Local Regulations (Part 100) 
Security Zones (Part 165) 
Safety Zones (Part 147 and 165) 
Security Zones (Part 165) 
Safety Zones (Part 147 and 165) 
Special Local Regulation 
Special Local Regulations (Part 100) 
Safety Zones (Part 147 and 165) 


Buffalo, NY 


d 165) ... ms Chattanooga, TN 
Cincinnati, OH 
Clements, MI .... 
Medina, WA 


Aguada, PR 





Ironton, OH 





Lawrenceburg, IN . 


Triathlon, Ohio River .. 


offshore of Fitzpatrick . 


Chattanooga, TN . 








6/18/2016 
6/18/2016 
6/18/2016 
6/19/2016 
6/20/2016 
6/23/2016 
6/24/2016 
6/26/2016 
6/26/2016 
6/26/2016 
6/30/2016 








Dated: December 19, 2017. 
Katia Kroutil, 


Office Chief, Office of Regulations and 
Administrative Law. 


[FR Doc. 2017-28401 Filed 1—2—18; 8:45 am] 
BILLING CODE 9110-04—P 





DEPARTMENT OF HEALTH AND 
HUMAN SERVICES 


Office of the Secretary 


42 CFR Part 2 
[SAMHSA-4162-20] 
RIN 0930-ZA07 


Confidentiality of Substance Use 
Disorder Patient Records 


AGENCY: Substance Abuse and Mental 
Health Services Administration 
(SAMHSA), U.S. Department of Health 
and Human Services. 


ACTION: Final rule. 





SUMMARY: This final rule makes changes 
to the Substance Abuse and Mental 
Health Services Administration’s 
(SAMHSA) regulations governing the 
Confidentiality of Substance Use 
Disorder Patient Records. These changes 
are intended to better align the 
regulations with advances in the U.S. 
health care delivery system while 
retaining important privacy protections 
for individuals seeking treatment for 
substance use disorders. This final rule 
addresses the prohibition on re- 
disclosure notice by including an option 
for an abbreviated notice. This final rule 
also addresses the circumstances under 
which lawful holders and their legal 
representatives, contractors, and 
subcontractors may use and disclose 
patient identifying information for 
purposes of payment, health care 
operations, and audits and evaluations. 
Finally, this final rule is making minor 
technical corrections to ensure accuracy 
and clarity in SAMHSA’s regulations. 


DATES: Effective date: This final rule is 
effective February 2, 2018. 


Compliance dates: The compliance 
date for all provisions of this final rule, 
except for § 2.33(c), is February 2, 2018. 
As discussed in the preamble, contracts 
between lawful holders and contractors, 
subcontractors, and legal representatives 
must comply with § 2.33(c) within two 
years of the effective date of the final 
rule. 


FOR FURTHER INFORMATION CONTACT: 
Mitchell Berger, Telephone number: 
(240) 276-1757, Email address: 
PrivacyRegulations@samhsa.hhs.gov. 


SUPPLEMENTARY INFORMATION: 


I. Background 


On February 9, 2016, SAMHSA 
published a Notice of Proposed 
Rulemaking (NPRM) in the Federal 
Register (81 FR 6988), proposing 
updates to the Confidentiality of 
Alcohol and Drug Abuse Patient 
Records (42 CFR part 2) regulations. 
These regulations implement title 42, 
section 290dd—2 of the United States 
Code pertaining to the Confidentiality of 
Substance Use Disorder Patient Records 
held by certain substance use disorder 
treatment programs that receive federal 
financial assistance. As SAMHSA 
explained in that NPRM, it proposed to 
update these regulations, last 
substantively amended in 1987, to 
reflect development of integrated health 
care models and the use of electronic 
exchange of patient information. 
SAMHSA also wished to maintain 
confidentiality protections for patient 
identifying information, as persons with 
substance use disorders still may 
encounter significant discrimination if 
their information is improperly 
disclosed. 

On January 18, 2017, SAMHSA 
published a final rule (82 FR 6052). In 
response to public comments, the final 
rule provided for greater flexibility in 
disclosing patient identifying 
information within the health care 
system while continuing to address the 
need to protect the confidentiality of 
substance use disorder patient records. 
SAMHSA concurrently issued a 
supplemental notice of proposed 


rulemaking (SNPRM) (82 FR 5485) to 
solicit public comment on additional 
proposals including: The payment and 
health care operations-related 
disclosures that can be made to 
contractors, subcontractors, and legal 
representatives by lawful holders under 
the part 2 rule consent provisions; and 
the provisions governing disclosures for 
purposes of carrying out a Medicaid, 
Medicare or Children’s Health Insurance 
Program (CHIP) audit or evaluation. 
SAMHSA also solicited comments on 
whether an abbreviated notice of the 
prohibition on re-disclosure should be 
used and, if so, under what 
circumstances. 

SAMHSA received 55 comments on 
the SNPRM, and after considering those 
comments, is finalizing the proposed 
revisions, with some changes made in 
response to the public comments that 
were received. Some comments were 
outside the scope of the specific 
provisions SAMHSA proposed in the 
SNPRM or were inconsistent with 
SAMHSA’s legal authority regarding the 
confidentiality of substance use disorder 
patient records. This final rule does not 
address these comments. 


II. Discussion of Public Comments and 
Final Modifications to 42 CFR Part 2 


A. Align With HIPAA 
Public Comments 


SAMHSA received a number of 
comments regarding alignment of 42 
CFR part 2 with the Health Insurance 
Portability and Accountability Act 
(HIPAA) or the Health Information 
Technology for Economic and Clinical 
Health (HITECH) Act. Reasons cited by 
these commenters in support of aligning 
the regulations with HIPAA or HIPAA/ 
HITECH Act were to: (1) Promote 
information flow between providers, 
including a clinically complete patient 
record; (2) allow providers and 
administrators of services greater 
discretion; (3) facilitate interoperability; 
(4) improve compliance; (5) enhance 
privacy protections by making 
confidentiality restrictions more 
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uniform across health care settings; (6) 
promote more innovative models of 
health care delivery, including 
integrated and coordinated care, and 
value-based and population-based 
models; (7) establish uniform, workable 
regulations with respect to treatment, 
payment and operations; and (8) 
improve patient care and reduce stigma 
and potential harm to patients. 


SAMHSA Response 


SAMHSA has attempted to align this 
final rule with HIPAA, the HITECH Act, 
and their implementing regulations to 
the extent feasible, based on the 
proposed revisions in the SNPRM, the 
public comments received, and the 
limitations on SAMHSA’s authority in 
the governing statute, 42 U.S.C. 290dd— 
2. At the same time, it is important to 
note that part 2 and its authorizing 
statute are separate and distinct from 
HIPAA, the HITECH Act, and their 
implementing regulations. Part 2 
provides more stringent federal 
protections than other health privacy 
laws such as HIPAA and seeks to 
protect individuals with substance use 
disorders who could be subject to 
discrimination and legal consequences 
in the event that their information is 
improperly used or disclosed. To the 
extent feasible given these restrictions, 
SAMHSA continues to review these 
issues, plans to explore additional 
alignment with HIPAA, and may 
consider additional rulemaking for 42 
CFR part 2. 


B. Prohibition on Re-Disclosure (§ 2.32) 


In the SNPRM, SAMHSA sought 
comment on whether an abbreviated 
notice of the prohibition on re- 
disclosure should be included in § 2.32 
and on the circumstances under which 
such abbreviated notice should be used. 
The SNPRM provided an example of an 
abbreviated notice: “Data is subject to 
42 CFR part 2. Use/disclose in 
conformance with part 2.” SAMHSA 
has adopted an abbreviated notice that 
is 80 characters long to fit in standard 
free-text space within health care 
electronic systems. The abbreviated 
notice in this final rule reads ‘‘Federal 
law/42 CFR part 2 prohibits 
unauthorized disclosure of these 
records.” 


Public Comments 


Several commenters expressed 
support for the abbreviated notice of the 
prohibition on re-disclosure because it 
provides more flexibility and efficiency 
in meeting the notice requirement. 
Several supportive commenters 
suggested potential technical solutions 
for conveying the prohibition on re- 


disclosure, such as communicating part 
2 restrictions through codes, flags, pop- 
ups, or other signifiers. However, some 
of these commenters and others also 
explained that most of the suggestions 
are not technically feasible at this time, 
due to the lack of standardized 
electronic formats and transmission 
standards. One supportive commenter 
suggested SAMHSA work with the 
Department of Health and Human 
Services (HHS) and its agencies, 
including the Centers for Medicare & 
Medicaid Services (CMS), and the Office 
of Civil Rights (OCR), to explore 
whether HIPAA electronic transactions 
and code sets can be leveraged or 
modified to ‘‘flag’’ part 2 information 
and, once the recommendation becomes 
actionable, involve standard-setting 
bodies and the public. Several 
supportive commenters provided 
circumstances they thought were 
appropriate for an abbreviated notice of 
the prohibition on re-disclosure, 
including: (1) All electronic disclosures 
(because there may not currently be a 
standard mechanism to “‘flag”’ electronic 
information disclosures that are covered 
by part 2); (2) only paper disclosures; (3) 
limiting the use of the abbreviated 
notice to the exchange of records 
between part 2 programs (that would 
have familiarity with the concept of 
prohibition on re-disclosure); (4) 
exchange of records among part 2 
programs and other entities (including 
third-party payers, and other lawful 
holders); and (5) using a single 
abbreviated notice for all circumstances. 
A couple of commenters indicated that 
having the notice of prohibition on re- 
disclosure accompany disclosures, as 
required by § 2.32, is important for 
ensuring compliance with part 2. 

Commenters who opposed the 
abbreviated notice of the prohibition on 
re-disclosure expressed concerns that a 
shortened notice: (1) May be confusing 
or unclear to patients and professionals; 
(2) would fail to safeguard against 
unauthorized disclosures; and (3) would 
be insufficient to solve logistical 
concerns because, regardless of the 
length of the notice, systems will need 
to be put in place to tag substance use 
disorder information and send the 
notice with the information being 
disclosed. In addition, some 
commenters found the current notice to 
be sufficient. 

SAMHSA also received comments 
stating that the SNPRM provided 
insufficient information to either 
support or oppose the abbreviated 
notice of the prohibition on re- 
disclosure because: (1) The purpose of 
the abbreviated notice was not made 
clear; and (2) it was unclear whether 


SAMHSA considered the impact the 
proposed abbreviated notice would have 
on electronic health records formats, 
system design and software 
development for clinical medical 
records format, or the impact on 
required HIPAA Administrative 
transactions. One commenter stated that 
an abbreviated notice of the prohibition 
on re-disclosure must contain, at a 
minimum, a clear warning label to 
prevent misuse and should state that 
any misuse is illegal under 42 CFR part 
2. 


SAMHSA Response 


The 42 CFR part 2 regulations in 
effect since 1983 have required that a 
notice of the prohibition on re- 
disclosure accompany each disclosure 
made with the patient’s written consent. 
In the SNPRM, SAMHSA proposed the 
option of an abbreviated notice to satisfy 
the requirements of § 2.32 due to 
concerns about character limits in free- 
text fields within electronic health 
record systems. Specifically, many of 
the health care electronic systems have 
a standard maximum character limit of 
80 characters in the free text space that 
may be used to transmit this notice. 

While SAMHSA recognizes there may 
be technical issues to be resolved, after 
considering the totality of the 
comments, SAMHSA believes including 
an abbreviated notice of the prohibition 
on re-disclosure as an option will be 
beneficial to stakeholders, particularly 
those who use electronic health record 
systems to exchange data. However, 
because even commenters supporting 
inclusion of an abbreviated notice had 
differing views about the circumstances 
under which an abbreviated notice 
should be used, SAMHSA decided, 
consistent with its proposal, to allow 
use of an abbreviated notice in any 
instance in which a notice is required 
under the regulations. Recognizing 
concerns expressed by commenters that 
an abbreviated notice could be 
insufficient to convey understanding of 
part 2 requirements, SAMHSA 
encourages part 2 programs and other 
lawful holders using the abbreviated 
notice to discuss the requirements with 
those to whom they disclose patient 
identifying information. In response to 
comments received that the abbreviated 
notice did not provide an adequate 
warning against potential misuse of 
patient identifying information, 
SAMHSA, in this final rule, has 
modified the language in the 
abbreviated notice to more explicitly 
notify recipients that improper use or 
disclosure is prohibited under 42 CFR 
part 2. 
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C. Disclosures Permitted With Written 
Consent (§ 2.33) 


In the SNPRM, SAMHSA proposed to 
explicitly list under § 2.33(b), specific 
types of activities for which any lawful 
holder of patient identifying 
information would be allowed to further 
disclose the minimal information 
necessary for specific payment and 
health care operations activities. 
SAMHSA proposed new regulatory text 
under § 2.33(c) that would require 
lawful holders that engage contractors 
and subcontractors to carry out payment 
and health care operations activities that 
entail the use or disclosure of patient 
identifying information to include 
specific contract provisions addressing 
compliance with part 2. In this final 
rule, SAMHSA finalizes the scope and 
requirements for permitted disclosures 
to contractors, subcontractors, and legal 
representatives for the purpose of 
payment and health care operations. 
SAMHSA does not retain the proposed 
list of payment and health care 
operations in the regulatory text and 
instead, moves this list to the preamble 
section of the final rule to serve as 
illustrative examples of permissible 
payment and health care operations 
activities. In addition, consistent with 
SAMHSA’s prior statement in the 
SNPRM preamble, SAMHSA adds 
language to the regulatory text in 
§ 2.33(b) to clarify that disclosures to 
contractors, subcontractors, and legal 
representatives are not permitted for 
substance use disorder patient 
diagnosis, treatment, or referral for 
treatment. SAMHSA finalizes § 2.33(c) 
in relation to contract language 
referencing compliance with 42 CFR 
part 2 and the protections of part 2 
patient identifying information, but 
does not retain the proposed reference 
to permitted uses of patient identifying 
information consistent with the written 
consent. 


1. Disclosures by Lawful Holders 
Public Comments 


In response to SAMHSA’s request for 
comments on proposed revisions to 
§ 2.33, SAMHSA received a number of 
comments supporting its proposal in 
§ 2.33 to clarify that lawful holders of 
patient identifying information may 
disclose the minimum amount of 
information necessary to contractors, 
subcontractors, and legal representatives 
for payment and health care operations 
purposes. Several commenters cited 
practical concerns with the policy as 
stated in the January 18, 2017, final rule, 
including: (1) It is unrealistic to assume 
that lawful holders of patient 
identifying information such as third- 


party payers have the expertise and 
resources to carry out certain payment 
and health care operations without the 
assistance of contractors; (2) it is often 
not feasible to specify each contractor 
on a part 2 consent form; and (3) 
specifying contractors on a part 2 
consent form unreasonably restricts a 
lawful holder from changing 
contractors. One commenter observed 
that essential payment and operations 
activities directly or indirectly benefit 
patients (e.g., by ensuring access to and 
coverage of treatment). One commenter 
supported the proposal because it 
further aligns part 2 with HIPAA, while 
another commenter expressed support 
for this or any proposal that would 
reduce the time and expense incurred 
by part 2 programs when seeking and 
obtaining patient consent where not 
necessary. 


SAMHSA Response 


In the SNPRM, SAMHSA proposed 
clarifications to the final regulations 
issued on January 18, 2017, where they 
appeared to be needed, based on public 
comment. SAMHSA appreciates the 
support it received for clarifying the 
part 2 regulations. SAMHSA is 
finalizing those clarifications as 
proposed in § 2.33(b) except for the list 
of 17 specific types of payment and 
health care operations activities for 
which any lawful holder of patient 
identifying information would be 
allowed to further disclose to 
contractors, subcontractors, and legal 
representatives. As discussed below, 
this list of activities is being included in 
the preamble, rather than in regulatory 
text, in order to make clear that it is an 
illustrative rather than exhaustive list of 
the types of payment and health care 
operations activities that would be 
acceptable to SAMHSA. By removing 
the list from the regulatory text, 
SAMHSA intends for other appropriate 
payment and health care operations 
activities to be permitted under § 2.33 as 
the health care system continues to 
evolve. In addition, consistent with 
SAMHSA’s prior statement in the 
SNPRM preamble, SAMHSA has added 
language to the regulatory text in 
§ 2.33(b) to clarify that disclosures to 
contractors, subcontractors, and legal 
representatives are not permitted for 
activities related to a patient’s diagnosis, 
treatment, or referral for treatment. 


Public Comments 


SAMHSA also received numerous 
comments opposing its proposal in 
§ 2.33. The majority of these 
commenters were opposed to the 
changes because SAMHSA had not 
specified additional safeguards that 


would apply in connection with the 
disclosures. Some commenters 
expressed concern that the changes 
were too broad or would undermine 
overall part 2 protections. One 
commenter expressed concern that the 
risk of breaches might increase by 
permitting additional disclosures to 
facilitate health care operations. Several 
commenters noted that the revisions in 
§ 2.33(b) would permit lawful holders 
greater latitude in sharing information 
with entities than would be afforded to 
patients. These commenters found that 
the revisions would permit patients to 
consent to sharing patient identifying 
information with lawful holders, who 
then are permitted to re-disclose that 
information to contractors, 
subcontractors, or legal representatives 
without notifying the patient. 
Conversely, patients would be 
prohibited from consenting to disclose 
patient identifying information to 
entities with whom they do not have a 
treating provider relationship without 
further designating an individual 
participant in that entity. As a result, 
these commenters questioned 
SAMHSA’s intent for this proposal. 
One commenter thought the SNPRM 
did not provide sufficient information to 
respond to the proposed § 2.33 because 
of the similarity of contractors and 
subcontractors with qualified service 
organizations (QSOs) under §§ 2.11 and 
2.12, and the similarity to Business 
Associates under HIPAA. The 
commenter requested clarification on 
whether it is SAMHSA’s intent to 
directly apply part 2 to these contractors 
and subcontractors in a manner similar 
to what was accomplished under the 
HIPAA Privacy and Security Rules for 
Business Associates of covered entities. 


SAMHSA Response 


SAMHSA is seeking a balance 
between protecting the confidentiality 
of substance use disorder patient 
records and ensuring that the 
regulations do not pose a barrier to 
patients with substance use disorders 
who wish to participate in, and could 
benefit from, emerging health care 
models that promote integrated care and 
patient safety. Unauthorized disclosure 
of substance use disorder patient 
records can lead to a host of negative 
consequences, including loss of 
employment, loss of housing, loss of 
child custody, discrimination by 
medical professionals and insurers, 
arrest, prosecution, and incarceration. 
The purpose of the part 2 regulations is 
to ensure that a patient is not made 
more vulnerable by reason of the 
availability of their patient record than 
an individual with a substance use 
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disorder who does not seek treatment. 
SAMHSA recognizes the legitimate 
needs of lawful holders of patient 
identifying information to disclose that 
information to their contractors, 
subcontractors, and legal representatives 
for purposes of payment and health care 
operations as long as the core 
protections of 42 CFR part 2 are 
maintained. SAMHSA notes that the 
part 2 regulations already state at 

§ 2.13(a): “. . . Any disclosure made 
under the regulations in this section 
must be limited to that information 
which is necessary to carry out the 
purpose of the disclosure.’’ This 
provision helps to ensure that 
information is not shared more broadly 
than the purpose(s) for which the 
patient consents. With respect to the 
comment that proposed revisions in 

§ 2.33(b) would provide lawful holders 
greater latitude in sharing information 
with entities for payment and health 
care operations purposes than would be 
afforded to patients, SAMHSA 
acknowledges this concern and will be 
convening a stakeholder meeting 
relative to part 2 as required by the 21st 
Century Cures Act (Pub. L. No: 114— 
255). 

Finally, it is not SAMHSA’s intent to 
apply part 2 to contractors and 
subcontractors in a manner similar to 
what was accomplished under the 
HIPAA Privacy and Security Rules for 
Business Associates in accordance with, 
respectively, sections 13404(a) and 
13401(a) of the HITECH Act, 42 U.S.C. 
17934(a), 17931(a). SAMHSA has 
attempted to align part 2 with HIPAA in 
this final rule to the extent such changes 
are permissible under 42 U.S.C. 290dd— 
2. Moreover, as discussed previously, 
SAMHSA plans to explore additional 
alignment with HIPAA and is 
considering additional rulemaking for 
42 CFR part 2. 

At the same time, part 2 and its 
authorizing statute are separate and 
distinct from HIPAA, the HITECH Act, 
and their implementing regulations. 
Because of its targeted population, part 
2 and its authorizing statute provides 
more stringent federal protections than 
other health privacy laws, including the 
HIPAA Rules, in order to encourage 
individuals with substance use 
disorders to seek treatment. 


Public Comments 


Several commenters proposed an 
alternative approach to the proposed 
changes in § 2.33, which would instead 
allow lawful holders to contract with 
QSOs, just as part 2 programs currently 
do. One such commenter proposed that, 
instead of an explicit list of activities, 

§ 2.33(b) should include a general 


statement that an entity that lawfully 
receives patient identifying information 
under a valid part 2 consent may 
disclose the information to its contractor 
under a QSO agreement (QSOA) if such 
disclosure is reasonably consistent with 
the terms of the consent. This 
commenter also proposed to revise the 
QSO definition to align it more closely 
with the HIPAA “business associate” 
concept. Two commenters questioned 
the distinction between the needs of 
part 2 programs and other lawful 
holders to engage third parties for 
operational assistance and requested 
that the QSO definition simply include 
lawful holders in the list of entities for 
which a QSO may provide services. One 
of these commenters stated that this 
alternative approach would give 
patients a choice and align better with 
patients’ expectations without adding 
another layer of complexity. 


SAMHSA Response 


SAMHSA declines to implement the 
suggested alternative approaches. 
SAMHSA agrees there are similarities 
between contractors under § 2.33(b) and 
QSOs. However, SAMHSA did not 
propose in the SNPRM to revise the 
provision on QSOs. 


2. List of Payment and Health Care 
Operations Activities 


In the SNPRM, SAMHSA sought 
public comment on whether the 
proposed listing of permitted activities 
is adequate and appropriate to ensure 
the health care industry’s ability to 
conduct necessary payment and health 
care operations, while still maintaining 
adequate confidentiality of substance 
use disorder patient records. SAMHSA 
also sought comment on the specific 
types of activities for which a lawful 
holder of patient identifying 
information would be allowed to further 
disclose the minimal information 
necessary for specific payment and 
health care operations activities 
described in the SNPRM. Further, 
SAMHSA requested public comment on 
additional purposes for which lawful 
holders should be able to disclose 
patient identifying information. 
SAMHSA is finalizing the clarifications, 
as proposed in § 2.33, but now includes 
the list of 17 specific types of payment 
and health care operations as illustrative 
examples in the preamble rather than 
the regulatory text. 


Public Comments 


Many commenters responded to 
SAMHSA’s requests for comments on 
whether the proposed list of explicitly 
permitted payment and health care 
operations activities is adequate and 


appropriate. Several commenters 
expressly supported the list of payment 
and operations activities included in the 
SNPRM. One commenter stated that the 
proposed 17 categories of payment and 
operations activities are essential to 
allowing third-party payers and other 
lawful holders to reasonably operate. 
Another commenter observed that the 
proposed payment and health care 
operations activities represent 
significant progress toward SAMHSA’s 
stated goal of modernizing 42 CFR part 
2 to increase opportunities for 
individuals with substance use 
disorders to participate in new and 
emerging health care models and health 
information technology. 

Numerous commenters recommended 
that care coordination and case 
management be added to the list, noting 
the importance of these services in the 
operational and treatment 
responsibilities in serving patients, 
including those with a dual diagnosis of 
mental health and substance use 
disorder. Conversely, several 
commenters recommended that 
SAMHSA include a statement in the 
regulatory text explicitly excluding care 
coordination and case management from 
§ 2.33(b). Another commenter also 
stated that disclosures to contractors, 
subcontractors, and legal representatives 
should not include information 
concerning diagnosis, treatment and/or 
referral to treatment without a patient’s 
express consent. 

Several commenters were confused 
by, or disagreed with, SAMHSA’s 
omission of treatment-related activities 
such as care coordination and case 
management from the list of payment 
and health care operations activities for 
which additional disclosures were 
proposed in the SNPRM. One such 
commenter stated that it was unclear 
why a contractor performing a 
treatment-related activity should be 
subject to greater confidentiality 
safeguards (e.g., specific consent) than 
an entity performing a payment or 
business-related activity. Others thought 
the benefits of care coordination 
outweighed any risk of including it on 
the list of permitted activities because 
SAMHSA also included on the list 
patient safety activities, which are 
inextricably linked to care coordination 
and case management. Another 
commenter, stating that health 
information technology and health 
information exchange are essential 
building blocks of integrated care, 
argued that the exclusion of care 
coordination and case management from 
permitted health care operations would 
make it extremely difficult for state 
Medicaid agencies, managed care 
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organizations (MCOs), and providers to 
use this technology to provide high 
quality, integrated care. One commenter 
pointed out that third-party payers, to 
which disclosure would be permitted 
under the SNPRM, may perform care 
coordination and case management 
activities as well as payment and health 
care operations activities. 

SAMHSA also received comments 
requesting a variety of additions to the 
list of permitted activities. In addition, 
SAMHSA received comments 
requesting clarification of some of the 
activities included on the list. Finally, 
two commenters observed that the rapid 
changes occurring in the health care 
payment and delivery system may make 
any list of permitted activities included 
in the final rule outdated very quickly. 

A few commenters disagreed with 
including in the regulatory text a list of 
permitted payment and health care 
operations activities. One commenter 
thought SAMHSA should be more 
protective of vulnerable patients 
because the list was seen as a loophole 
that would result in patient identifying 
information being spread beyond the 
immediate point of care and being used 
in unforeseen ways. For consistency, 
one commenter requested that SAMHSA 
replicate HIPAA’s definition of payment 
at 45 CFR164.501 for the purpose of 
collection activities under proposed 
§ 2.33(b)(1). 

SAMHSA also received a number of 
comments requesting that certain 
activities on the list of payment and 
health care operations activities be 
restricted or narrowed. A number of 
commenters requested that SAMHSA 
remove or narrow proposed § 2.33(b)(15) 
& (16) to ensure patients’ protected 
substance use disorder information will 
not be used to limit or deny insurance 
coverage or access to health care. Some 
commenters expressed concern that the 
proposed § 2.33(b)(2) could be 
interpreted as allowing protected 
information to be disclosed to 
employers. Many of these commenters 
stated they did not support the 
SNPRM’s proposed changes in general, 
or SAMHSA’s proposal to permit lawful 
holders to disclose patient identifying 
information obtained pursuant to 
patient consent to contractors, 
subcontractors, and legal representatives 
for payment and health care operations 
purposes, in particular, without further 
protections and safeguards. Two 
commenters disagreed with the 
inclusion of five of the proposed 
activities (§§ 2.33(b)(6), 2.33(b)(10), 
2.33(b)(12), 2.33(b)(15), and 2.33(b)(16)) 
because they could adversely affect 
patient enrollment in health plans and 


determinations regarding insurability, 
treatment, and eligibility. 

Several commenters also requested 
additional protections to ensure lawful 
holders and their contractors, 
subcontractors, and legal representatives 
only use information protected under 
part 2 for the purposes listed in the 
patient’s written consent. 


SAMHSA Response 


While SAMHSA is finalizing the 
clarifications as proposed in § 2.33, 
SAMHSA is not including the list of 17 
specific types of payment and health 
care operations in the regulatory text 
that would be the basis for further 
disclosures by a lawful holder of patient 
identifying information. Based on the 
numerous comments received 
requesting additions or clarifications to 
the list, as well as concerns that the 
rapid changes occurring in the health 
care payment and delivery system could 
render any list of activities included in 
the regulatory text outdated, SAMHSA 
has decided to include the list in the 
preamble of this final rule to illustrate 
the types of permissible payment and 
health care operations activities. 

Examples of permissible activities 
under § 2.33(b) that SAMHSA considers 
to be payment and health care 
operations activities include: 

e Billing, claims management, 
collections activities, obtaining payment 
under a contract for reinsurance, claims 
filing and related health care data 
processing; 

e Clinical professional support 
services (e.g., quality assessment and 
improvement initiatives; utilization 
review and management services); 

e Patient safety activities; 

e Activities pertaining to: 

e The training of student trainees and 
health care professionals; 

e The assessment of practitioner 
competencies; 

e The assessment of provider and/or 
health plan performance; and 

e Training of non-health care 
professionals; 

e Accreditation, certification, 
licensing, or credentialing activities; 

e Underwriting, enrollment, premium 
rating, and other activities related to the 
creation, renewal, or replacement of a 
contract of health insurance or health 
benefits, and ceding, securing, or 
placing a contract for reinsurance of risk 
relating to claims for health care; 

e Third-party liability coverage; 

e Activities related to addressing 
fraud, waste and abuse; 

e Conducting or arranging for medical 
review, legal services, and auditing 
functions; 

e Business planning and 
development, such as conducting cost- 


management and planning-related 
analyses related to managing and 
operating, including formulary 
development and administration, 
development or improvement of 
methods of payment or coverage 
policies; 

e Business management and general 
administrative activities, including 
management activities relating to 
implementation of and compliance with 
the requirements of this or other statutes 
or regulations; 

e Customer services, including the 
provision of data analyses for policy 
holders, plan sponsors, or other 
customers; 

e Resolution of internal grievances; 

e The sale, transfer, merger, 
consolidation, or dissolution of an 
organization; 

e Determinations of eligibility or 
coverage (e.g. coordination of benefit 
services or the determination of cost 
sharing amounts), and adjudication or 
subrogation of health benefit claims; 

e Risk adjusting amounts due based 
on enrollee health status and 
demographic characteristics; 

e Review of health care services with 
respect to medical necessity, coverage 
under a health plan, appropriateness of 
care, or justification of charges. 

This list of payment and health care 
operations is substantively unchanged 
from that which was proposed as 
regulatory text in the SNPRM published 
on January 18, 2017. In this final rule, 
SAMHSA maintains its position that the 
payment and health care operations 
activities referenced in § 2.33 and listed 
in the preamble are not intended to 
encompass substance use disorder 
patient diagnosis, treatment, or referral 
for treatment. SAMHSA believes it is 
important to maintain patient choice in 
disclosing information to health care 
providers with whom patients have 
direct contact. For this reason, the final 
provision in § 2.33(b) is not intended to 
cover care coordination or case 
management and disclosures to 
contractors, subcontractors, and legal 
representatives to carry out such 
purposes are not permitted under this 
section. In addition, SAMHSA added 
language to the regulatory text in 
§ 2.33(b) to clarify that disclosures to 
contractors, subcontractors and legal 
representatives are not permitted for 
activities related to a patient’s diagnosis, 
treatment, or referral for treatment. 
SAMHSA notes that the position 
articulated in this final rule differs from 
the HIPAA Privacy Rule, under which 
‘health care operations’ encompasses 
such activities as case management and 
care coordination. However, SAMHSA 
appreciates the concerns expressed by 
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some commenters about such issues as 
the exclusion of care coordination and 
case management from § 2.33(b). 
SAMHSA also appreciates comments 
received concerning potential risks of 
including care coordination, case 
management and other activities in 

§ 2.33(b). Consistent with the 21st 
Century Cures Act, prior to March 21, 
2018, the Secretary of HHS will convene 
relevant stakeholders to determine the 
effects of 42 CFR part 2 on patient care, 
health outcomes, and patient privacy. 
This meeting will provide stakeholders 
with an additional opportunity to 
provide further input to SAMHSA 
regarding implementation of part 2, 
including changes adopted in this final 
rule. 


3. Contract Provisions for Disclosures 
Under Proposed § 2.33(c) 


SAMHSA proposed new regulatory 
text requiring that lawful holders that 
engage contractors and subcontractors to 
carry out payment and health care 
operations that require using or 
disclosing patient identifying 
information include specific contract 
provisions requiring contractors and 
subcontractors to comply with the 
provisions of part 2. SAMHSA is 
finalizing this proposal except that it is 
not requiring that the contract specify 
the permitted uses of patient identifying 
information by the contractor, 
subcontractor, or legal representative. 
An appropriate comparable legal 
instrument will suffice in cases where 
there is otherwise no contract between 
the lawful holder and a legal 
representative who is retained 
voluntarily; when a legal representative 
is required to represent the lawful 
holder by law, the requirement for a 
contract or comparable legal instrument 
in § 2.33(c) shall not apply. 


Public Comments 


SAMHSA received several comments 
expressing general support for the 
proposed provisions in § 2.33(c) relating 
to contracts or legal agreements between 
lawful holders and their contractors, 
subcontractors, and legal 
representatives. One of these 
commenters agreed that limits should be 
placed on disclosures to contractors, 
such as allowing disclosure of only the 
minimum patient identifying 
information necessary for specific 
payment or health care operations. 

A number of commenters, however, 
opposed including specific contract 
requirements in § 2.33(c) between 
lawful holders and their contractors 
requiring compliance with part 2. Many 
of these commenters stated that this 
provision would impose significant 


contract amendment burdens industry- 
wide and would be disruptive to 
business relationships. Commenters 
noted that business associate 
agreements under HIPAA as well as 
many contracts already require 
compliance with all applicable federal 
and state laws, which would include 
part 2. Some commenters requested that 
contract provisions requiring 
compliance with applicable federal laws 
and regulations be deemed as satisfying 
the requirement of proposed § 2.33(c) 
even if part 2 is not specifically 
mentioned. One commenter stated that 
contracts typically specify the purposes 
for which the contractor may use any 
confidential information and so it is not 
necessary to require language on 
specific permitted uses and disclosure 
of patient identifying information. 

Some commenters stated that § 2.33(c) 
should not be included in future 
rulemaking. One such commenter 
requested that SAMHSA provide 
evidence that current contract language 
is not adequately addressing part 2 uses 
and disclosures by those entities 
specified in § 2.33(c). Another 
commenter requested that SAMHSA 
explore leveraging information 
technology to identify more efficient 
ways for patients to consent to 
disclosure. This commenter also 
recommended that SAMHSA conduct 
an assessment or promulgate an 
Advanced Notice of Proposed 
Rulemaking to solicit information to 
determine the adequacy of existing 
contracts or business processes to 
address information disclosures with 
contracted entities. Several commenters 
stated that SAMHSA could address 
concerns with an extension, by 
regulation, of the part 2 protections to 
any entity handling the information 
disclosed via consent. 

SAMHSA received comments that 
asked that that the language in proposed 
§ 2.33(c) be modified to allow the 
patient identifying information 
safeguards to be spelled out in the 
contract and/or business associates 
agreement. 


SAMHSA Response 


SAMHSA is finalizing § 2.33(c) as 
proposed, but has revised the regulatory 
text to remove the reference to patient 
consent as it relates to the requirement 
to specify permitted uses of patient 
identifying information by the 
contractor, subcontractor, or legal 
representative. However, SAMHSA 
notes that § 2.13 requires that any 
disclosure made under the regulations 
must be limited to that information 
which is necessary to carry out the 
purpose of the disclosure. Therefore, to 


comply with § 2.13, lawful holders 
should ensure that the purpose section 
of the consent form is consistent with 
the role of or services provided by the 
contractor or subcontractor (e.g., 
“‘payment and health care operations’’). 

SAMHSA understands the concerns 
expressed by commenters regarding 
bringing contracts into compliance with 
§ 2.33(c). To address these concerns, the 
final rule allows lawful holders two 
years from the effective date of the final 
rule to bring their contracts and legal 
agreements with contractors, 
subcontractors, and voluntary legal 
representatives into compliance. If 
lawful holders choose not to re-disclose 
patient identifying information to 
contractors, subcontractors, or legal 
representatives as specified under 
§ 2.33(b), they do not have to comply 
with § 2.33(c). 

SAMHSA disagrees with comments 
that propose allowing existing 
contractual language regarding general 
compliance with applicable federal laws 
to satisfy requirements under § 2.33(c). 
SAMHSA believes that it is important 
for part 2 to be specifically mentioned 
in contracts and legal agreements when 
lawful holders are disclosing part 2 
patient identifying information to 
contractors, subcontractors and 
voluntary legal representatives under 
§ 2.33(b). A fundamental principle of 42 
CFR part 2 is that patients should have 
as much control as possible over their 
patient identifying information. 
Referencing part 2 in contracts will help 
to underscore the importance of 
compliance with part 2 provisions. 

However, SAMHSA also recognizes 
that entities may have different 
approaches to ensuring compliance with 
part 2 and other laws. While SAMHSA 
requires compliance with § 2.33(c) for 
lawful holders who wish to disclose 
patient identifying information pursuant 
to § 2.33(b), SAMHSA is not specifying 
the exact contract language to be used. 

With respect to the comment 
regarding limiting disclosures to the 
minimum information necessary, § 2.13 
requires that any disclosure made must 
be limited to that information which is 
necessary to carry out the purpose of the 
disclosure. Contractors, subcontractors, 
and legal representatives will be 
required to comply with this and all 
applicable provisions under part 2. 
(Section 2.33(c) states that contractors 
and any subcontractors or legal 
representatives are fully bound by the 
provisions of part 2 upon receipt of 
patient identifying information). 


Public Comments 


One commenter requested that 
SAMHSA remove the following 
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sentence from § 2.33(c): “In making 
such disclosure, the lawful holder 
should specify permitted uses of patient 
identifying information consistent with 
the written consent, by the contractor 
and any subcontractors or legal 
representatives to carry out the payment 
and health care operations activities 
listed in the preceding subparagraph, 
require such recipients to implement 
appropriate safeguards to prevent 
unauthorized uses and disclosures and 
require such recipients to report any 
unauthorized uses, disclosures, or 
breaches of patient identifying 
information to the lawful holder.”’ 
Commenters stated that lawful holders 
will not possess the written consent 
because it is typically held by the part 
2 program and it would be impractical, 
if not impossible, for the written 
consent form to be passed on to other 
entities. Another commenter stated that 
mechanisms for transmitting written 
consent forms had yet to evolve. 

A commenter stated that a prohibition 
on re-disclosure notice under § 2.32 
should not be required when a 
disclosure from a contractor that is a 
cloud services provider is back to the 
lawful holder or is disclosed under the 
direction or control of the lawful holder 
because the cloud service provider 
would not have control over the 
disclosure and therefore could not 
accompany the disclosure with a notice 
related to § 2.32 and suggested 
alternative language. 

Other commenters supported the 
provisions in proposed § 2.33(c) but 
specified additional safeguards that 
should be added or referenced. Several 
commenters requested that SAMHSA 
include another requirement in 
proposed § 2.33(c) that contractors, 
subcontractors, and legal representatives 
be bound by all of the requirements that 
apply to QSOs, as QSOs and contractors 
serve similar functions. These 
commenters stated that written 
contracts under proposed § 2.33(c), 
therefore, would require contractors, 
subcontractors, and legal representatives 
to agree to resist in judicial proceedings 
any efforts to obtain access to patient 
records identifying information related 
to substance use disorder diagnosis, 
treatment, or referral for treatment 
except as permitted by part 2. These 
commenters also expressed opposition 
to the SNPRM’s proposed changes in 
general or SAMHSA’s proposal to 
permit lawful holders to disclose patient 
identifying information obtained 
pursuant to patient consent to 
contractors, subcontractors and legal 
representatives, including for payment 
and health care operations purposes, 
without these and other protections. 


One commenter stated that a List of 
Disclosures requirement for lawful 
holders who wish to re-disclose patient 
identifying information to contractors, 
subcontractors, and legal representatives 
should be included in contractual 
language. 

One commenter requested that 
SAMHSA require in the contractual text 
that contractors, subcontractors, and 
legal representatives use protected 
substance use disorder information only 
for the purpose(s) listed in the patient’s 
written consent and that re-disclosure 
by contractors, subcontractors, and legal 
representatives to third parties be 
allowed only as long as the third party 
discloses the patient identifying 
information back to the contractors or 
lawful holders from which the 
information originated. 


SAMHSA Response 


SAMHSA declines to provide specific 
and detailed contract language because 
SAMHSA believes lawful holders need 
the flexibility to include language that 
fits within their contract structures. 
However, regardless of the specific 
contractual language used, all lawful 
holders, contractors, subcontractors, and 
legal representatives must comply with 
applicable requirements specified in 
§ 2.33(c) as well as the other applicable 
provisions in part 2. 

SAMHSA does not require that part 2 
consent forms be passed along to the 
contractor or subcontractor. SAMHSA 
has revised the regulatory text in 
§ 2.33(c) to remove the reference to 
patient consent as it relates to the 
requirement to specify permitted uses of 
patient identifying information by the 
contractor, subcontractor, or legal 
representative. However, § 2.13 requires 
that any disclosure made under the 
regulations must be limited to that 
information which is necessary to carry 
out the purpose of the disclosure. 
Therefore, to comply with § 2.13, part 2 
programs and other lawful holders 
should ensure that the purpose section 
of the consent form is consistent with 
the role of or services provided by the 
contractor or subcontractor (e.g., 
“payment and health care operations’’). 
Those utilizing contractors or 
subcontractors should then inform those 
parties in their contracts that 
information governed by part 2 requires 
the contractor or subcontractor to take 
reasonable steps to prevent 
unauthorized uses and disclosures and 
to inform the lawful holder of any 
breaches and/or unauthorized uses. Ifa 
contractor receives information for 
quality assurance purposes, for instance, 
they should not be sharing it for other 
purposes, much less for activities not 


related to payment and health care 
operations. Section § 2.33(c) specifies 
the requirements of a written contract; 
it is up to the lawful holder and 
contractor to determine how their 
contracts should address these 
requirements. 


With regard to cloud service providers 
storing patient identifying information 
for a lawful holder, SAMHSA declines 
to make the suggested changes to the 
language in § 2.33(c). Under § 2.33, 
lawful holders, contractors and their 
subcontractors are responsible for 
providing a prohibition on re-disclosure 
notice (§ 2.32) if they re-disclose patient 
identifying information to their 
contractors in order to meet the 
requirements of § 2.33. If other entities 
access the information as permitted by 
the lawful holder (because the other 
entities that gain access to the 
information via the cloud are 
contractors with the lawful holder 
(§ 2.33) and not the cloud services 
provider, or to fulfill the requirements 
on the written consent (§ 2.31), then the 
lawful holder (not the cloud service 
provider) is responsible for ensuring 
that a notice of the prohibition on re- 
disclosure is conveyed to those entities, 
along with the information. 


Regardless of the specific contractual 
language used, all lawful holders, 
contractors, subcontractors, and legal 
representatives must comply with 
requirements specified in § 2.33(c) as 
well as the other applicable provisions 
in part 2. Therefore, with respect to the 
comments on contractors, 
subcontractors, and legal representatives 
resisting disclosure of patient records in 
judicial proceedings, SAMSHA notes 
that § 2.13(a) already states: ‘““The 
patient records subject to the regulations 
in this part may be disclosed or used 
only as permitted by the regulations in 
this part and may not otherwise be 
disclosed or used in any civil, criminal, 
administrative, or legislative 
proceedings conducted by a federal, 
state or local authority.” In addition, 

§ 2.13(a) already requires that any 
disclosures must be limited to the 
information which is necessary to carry 
out the purpose of the consent. In 
response to the request that the contract 
require compliance with the security 
requirements, § 2.16, Security for 
Records, already applies to part 2 
programs and other lawful holders of 
patient identifying information, and, 
therefore, would apply to contractors, 
subcontractors, and legal 
representatives. 
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4. Other Comments Concerning 
Disclosures by Lawful Holders 


Public Comments 


SAMHSA received a number of 
comments relative to Medicaid agencies 
and MCOs with which they contract; the 
commenters stated that MCOs are 
considered to be an extension of the 
Medicaid agency. Several of these 
commenters requested clarification that, 
under § 2.33(b), MCOs (one commenter 
noted that such organizations are called 
coordinated care organizations in that 
state) may disclose patient identifying 
information for health care operations 
and payment purposes to the state 
agency with which the organization is 
under contract. One commenter 
requested clarification that under 
§ 2.33(b) lawful holders may disclose 
patient identifying information to the 
state Medicaid agency with which they 
are contracted. Another commenter 
requested that that this provision 
explicitly permit disclosures between 
managed care organizations, their 
contractors and a Medicaid program. 
Similarly, a commenter also pointed out 
that proposed § 2.33(b) would only 
allow a lawful holder to disclose to its 
own contractors and subcontractors, 
which would not relieve the 
administrative obstacles part 2 
providers experience when trying to 
obtain insurance coverage for their 
patients because the part 2 programs 
would have to deal directly with a peer 
reviewer or utilization review company 
that is a subcontractor to the insurance 
company named on the consent form. 


SAMHSA Response 


With regard to the comments on 
Medicaid agencies and the managed 
care organizations with which they 
contract, as well as those addressing 
administrative obstacles contractors 
may face in obtaining patient 
identifying information, the information 
can be disclosed directly to the 
contractor or subcontractor and does not 
need to first be disclosed to the lawful 
holder (i.e., recipient named on the 
consent form) and then subsequently re- 
disclosed, as long as the information is 
being used for the purposes of payment 
and health care operations. This is 
because contractors, legal 
representatives, and subcontractors are 
acting on behalf of the lawful holders 
based on contracts, legal agreements or 
mandates in law. 


Public Comments 


Two commenters, pointing to the 
varying definitions for “contractors” 
and “subcontractors” under different 


laws and regulations, requested that 
SAMHSA consider defining these terms. 


SAMHSA Response 


SAMHSA did not propose to define 
“contractors” and “subcontractors” in 
its proposed rule and declines to do so 
now in the final rule. As stated in 
§ 2.33(c), lawful holders who wish to 
disclose patient identifying information 
pursuant to subsection (b) of this section 
must enter into a written contract with 
the contractor (or appropriate 
comparable legal instrument in the case 
of a legal representative retained 
voluntarily by the lawful holder). In the 
case where there is a legal 
representative who is required to 
represent the lawful holder by law, the 
requirement for a contract or 
comparable legal instrument in § 2.33(c) 
shall not apply. SAMHSA believes this 
general understanding of a contractor or 
subcontractor provides the necessary 
flexibility for these types of 
arrangements while still ensuring that 
all parties must adhere to requirements 
and protections specified in § 2.33(c). 


Public Comments 


One commenter requested that 
SAMHSA add a new § 2.33(d) to state 
that ‘‘if the contractor, subcontractor, or 
legal representative needs patient 
identifying information directly from 
the part 2 program, the contractor, 
subcontractor, or legal representative 
must produce a copy of the agreement 
mandated by § 2.33(c) prior to the part 
2 program releasing any information.” 


SAMHSA Response 


SAMHSA declines to require 
contractors, subcontractors, and legal 
representatives to produce a copy of the 
agreement mandated by § 2.33(c) prior 
to the part 2 program releasing any 
information because SAMHSA did not 
propose to do so in the SNPRM. The 
decision as to whether to share this 
information would be at the discretion 
of the contracting parties. 


Public Comments 


One commenter stated that proposed 
§ 2.33(b) should apply to all lawful 
holders (and not just those who received 
patient identifying information pursuant 
to a written consent), which would 
enable QSOs to disclose without 
consent to contractors and 
subcontractors. 


SAMHSA Response 


SAMHSA declines to eliminate the 
requirement that § 2.33(b) only applies 
to lawful holders that receive patient 
identifying information pursuant to a 
written consent. SAMHSA believes that 


the consent requirement for lawful 
holders that fall under § 2.33(b) must be 
maintained and that § 2.33(b) should not 
apply to QSOs. Further, SAMHSA 
guidance indicates that a QSOA does 
not permit a QSO to re-disclose 
information to a third party unless that 
third party is a contract agent of the 
QSO, helping them provide services 
described in the QSOA, and only as 
long as the agent only further discloses 
the information back to the QSO or to 
the part 2 program from which it came. 


GC. Audit and Evaluation (§ 2.53) 


SAMHSA recognizes that federal, 
state, and local governments often need 
to access all of the records, including 
part 2 program records, held by entities 
they regulate in order to appropriately 
evaluate compliance with applicable 
laws, rules, and policies. As a result, in 
the SNPRM, SAMHSA proposed 
regulatory changes to clarify that audits 
and evaluations may be performed on 
behalf of federal, state, and local 
governments providing financial 
assistance to, or regulating the activities 
of, lawful holders as well as part 2 
programs. SAMHSA recognizes that 
federal, state, and local governments 
often need to access all of the records, 
including part 2 program records, held 
by entities they regulate in order to 
appropriately evaluate compliance with 
applicable laws, rules, and policies. For 
example, an Accountable Care 
Organization (ACO) or similar CMS- 
regulated health care models may wish 
to evaluate the impact of integrated care 
on several participating behavioral 
health care programs’ quality of care, or 
a state may wish to do an audit to see 
how many individuals who leave state- 
supported correctional facilities 
subsequently receive substance use 
disorder treatment. In addition, 
SAMHSA proposed regulatory revisions 
to: Specify that audits and evaluations 
may be performed by contractors, 
subcontractors, or legal representatives 
on behalf of a third-party payers or a 
quality improvement organizations; and 
state that if disclosures are made under 
this section for a Medicare, Medicaid, or 
CHIP audit or evaluation, including a 
civil investigation or administrative 
remedy, further disclosures may be 
made to contractors, subcontractors, or 
legal representatives to carry out the 
audit or evaluation. SAMHSA is now 
finalizing these requirements. It has also 
made certain technical amendments to 
correct inadvertent omissions in the 
rule’s text to effectuate SAMHSA’s 
intent to permit disclosure and use of 
patient identifying information held by 
other lawful holders for audit and 
evaluation purposes, as well as to clarify 
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and operationalize the requirements of 
this section. 


Public Comments 


SAMHSA received a range of 
comments concerning the proposed 
amendments with regard to permitted 
disclosures of patient identifying 
information to contractors, 
subcontractors, and legal representatives 
for purposes of carrying out an audit or 
evaluation under part 2. SAMHSA 
received a number of comments 
supporting these revisions. Several of 
the commenters also expressed support 
specifically for the provision allowing 
patient identifying information to be 
disclosed for purposes of carrying out 
an audit or evaluation, with some citing 
proposed § 2.53(a)(1)(i) in particular. 
Some commenters stated this particular 
revision would allow lawful holders of 
patient identifying information to 
disclose that information to audit and 
oversight entities in order to respond to 
an audit or evaluation request, and that 
clear authority to disclose patient 
identifying information for audits 
(which may include quality 
improvement and program integrity) is 
critical to Medicaid program operations. 
Another commenter supported the 
proposed changes because they would 
appear to allow disclosure of patient 
identifying information to a government 
agency authorized to regulate the 
activities of any lawful holder, not just 
a part 2 program or private payer, and 
because this change would at least 
partially conform to HIPAA’s 
permissible disclosures to health system 
oversight agencies. The commenter, 
however, expressed concern that the 
proposed language did not make clear 
whether the government agency must 
obtain access to the records directly 
from the part 2 program rather than 
from the other lawful holder that the 
agency regulates, as obtaining records 
from the part 2 program posed 
communications challenges. 


SAMHSA Response 


SAMHSA appreciates the support for 
the further amendments as set out in the 
regulatory text of § 2.53. Inclusion of 
these additional provisions reflects that 
contractors, subcontractors and legal 
representatives are increasingly 
involved in audit and evaluation 
activities. SAMHSA recognizes that 
federal, state, and local governments 
often need to access all of the records, 
including part 2 program records, held 
by entities they regulate in order to 
appropriately evaluate compliance with 
applicable laws, rules, and policies. We 
believe including these changes will 
assist in compliance with part 2 and 


other federal, state, and local rules and 
regulations and improve part 2 program 
quality. 

With respect to the commenter’s 
concern, if a government agency is 
auditing or evaluating a lawful holder, 
which it regulates, the agency may 
receive the patient identifying 
information necessary for that audit or 
evaluation directly from the lawful 
holder. 


Public Comments 


SAMHSA also received a number of 
comments opposing the proposal to 
permit re-disclosure of patient 
identifying information without patient 
consent to contractors and 
subcontractors for audit and evaluation 
purposes unless SAMHSA provides 
additional safeguards. Several of these 
commenters noted that the proposed 
changes to § 2.53 have the potential to 
greatly expand the universe of 
individuals and entities who may 
receive protected substance use disorder 
information without patient consent for 
audit and evaluation purposes. 

A couple of commenters expressed 
concern that detailed patient records 
would be used for purposes of risk 
adjustment and reporting of the 
patient’s severity of illness to predict 
health care cost expenditures and adjust 
payer payments. One commenter stated 
that, if data are being used to impact a 
patient’s score or health coverage, 
patient consent should be required. 


SAMHSA Response 


SAMHSA appreciates the array of 
recommendations commenters provided 
for possible restrictions and safeguards. 
SAMHSA is contemplating future 
rulemaking for 42 CFR part 2, and will 
take these recommendations under 
advisement at that time. 

With regard to the suggestion that 
SAMHSA require patient consent if data 
could be used to affect a patient’s health 
coverage or health score, SAMHSA 
reiterates that under the terms of § 2.53, 
patient identifying information may 
only be used for audit and evaluation 
purposes. 


D. Other Public Comments on the 
SNPRM 


1. Extension of Part 2 Restrictions to 
Third Parties 


Public Comments 


Two commenters stated that changes 
made to the SNPRM were predicated on 
the concept that part 2 confidentiality 
restrictions extend beyond part 2 
programs to third parties, including 
lawful holders, contractors, 
subcontractors and legal representatives. 


These commenters, noting that no 
definitions exist in the regulatory text 
for ‘lawful holders,” ‘“‘contractors,’’ or 
“subcontractors,” or “legal 
representatives,” requested that 
SAMHSA address whether the part 2 
statute permits the extension of these 
restrictions beyond part 2 programs. 


SAMHSA Response 


The statute (42 U.S.C. 290dd—2) 
authorizes SAMHSA to promulgate 
regulations to effectuate the 
confidentiality provisions governing 
substance use disorder patient records. 
The part 2 rule’s applicability to third 
parties is a reasonable exercise of 
SAMHSA’s statutory authority to ensure 
protection of part 2 information in the 
possession of lawful holders other than 
part 2 programs. 


2. Greater Weight to Comments From 
Patient and Part 2 Program 


Public Comments 


SAMHSA received several comments 
requesting that greatest weight be given 
to comments from patients and 
consumers who will be directly affected 
by any changes to part 2; one of these 
commenters made this request because 
patients entering treatment will likely 
be unable to anticipate complex re- 
disclosure risks for activities proposed 
by the SNPRM. In addition, a 
commenter requested that special 
consideration be given to comments 
from substance use disorder treatment 
providers. 


SAMHSA Response 


Every comment received on the 
SNPRM was given careful 
consideration, and SAMHSA has 
endeavored in this final rule to take into 
account the varying perspectives of 
public commenters. SAMHSA is seeking 
a balance between ensuring that patients 
with substance use disorders have the 
ability to participate in, and benefit 
from, new and emerging health care 
models that promote integrated care and 
patient safety and ensuring the 
confidentiality of substance use disorder 
patient records, given the potential for 
discrimination, harm to reputations and 
relationships, and serious civil and 
criminal consequences that could result 
from impermissible disclosures. 


E. Regulatory Impact Analysis (RIA) 


In the SNPRM, SAMHSA stated that, 
if adopted, the proposed revisions 
should not result in any additional costs 
to part 2 programs. However, SAMHSA 
specifically sought comment on the 
implications of the proposed changes on 
the regulatory and financial impact, if 
any, of these proposed rules. 
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Public Comments 


SAMHSA did not receive any 
comments on costs related to specific 
proposals made in the SNPRM or the 
RIA. 


F. Requests for Public Comment 


In the January 18, 2017, SNPRM, 
SAMHSA made several requests for 
public comments based on its 
expectation that there may be future 42 
CFR part 2-related rulemaking. Those 
comments are summarized below. 


1. Conveying the Scope of the Written 
Consent 


In the SNPRM, SAMHSA sought 
comment on the proper mechanisms to 
convey the scope of the consent to 
lawful holders, contractors, 
subcontractors, and legal 
representatives, including those who are 
downstream recipients of patient 
identifying information given current 
electronic data exchange technical 
designs. 


Public Comments 


Commenters suggested that SAMHSA 
provide more clarity on these 
mechanisms, particularly given the 
current electronic exchange 
environment and recommended more 
specific ways to ensure patients retain 
control over how their information is 
disclosed. Another commenter asserted 
proposed consent requirements could be 
burdensome, and a third-party payer 
may be unable to assess part 2 program 
compliance with consent requirements. 


SAMHSA Response 


SAMHSA has modified language in 
§ 2.33(c) so as not to imply that the 
consent form must be provided to the 
recipient of part 2 records. Sections 
2.13, 2.31, and other sections of part 2 
require recipients of patient identifying 
information to have knowledge of 42 
CFR part 2 as it relates to the purpose 
for which information is being disclosed 
and can be re-disclosed lawfully. 
Individuals and entities that disclose or 
receive patient identifying information 
via patient consent must be able to 
comply with these requirements. 


2. Other Restrictions and Safeguards 


In the SNPRM, SAMHSA specifically 
sought comments regarding the 
establishment of appropriate restrictions 
and safeguards on lawful holders and 
their contractors, subcontractors, and 
legal representatives’ use and disclosure 
of patient identifying information for 
the purposes discussed in the SNPRM. 


a. General 


Public Comments 


SAMHSA received a number of 
responses to this request for comments 
regarding the establishment of 
appropriate restrictions and safeguards. 
These comments recommended a wide 
array of patient protections and 
safeguards. While some commenters 
noted there is a legitimate need for 
lawful holders to disclose protected 
information to their contractors, 
subcontractors, and legal representatives 
for payment and health care operations 
purposes, many commenters expressed 
concern that the breadth of the proposed 
changes may undermine core 
protections under part 2, which give 
substance use disorder patients control 
over how their information is disclosed 
so as not to make them more vulnerable 
to potential negative consequences of 
such disclosures. Loss of employment, 
loss of housing, loss of child custody, 
discrimination by medical professionals 
and insurers, and arrest, prosecution, 
and incarceration were cited as 
potential negative consequences. Most 
commenters stated concern over, or 
even their opposition to, SAMHSA 
finalizing proposed changes in the 
SNPRM without including certain 
additional protections. 


SAMHSA Response 


SAMHSA appreciates the array of 
recommendations commenters provided 
for possible restrictions and safeguards. 
SAMHSA believes that the existing 
restrictions and safeguards—including 
provisions limiting use of patient 
identifying information in criminal and 
civil procedures and requiring that any 
disclosure made under these regulations 
must be limited to that information 
which is necessary to carry out the 
purpose of the disclosure—are adequate. 


b. Commenter Recommendations for 
Anti-Discrimination Protections 


Many commenters recommended the 
addition of specific anti-discrimination 
protections that would apply to 
disclosures pursuant to the proposed 
§§ 2.33(b) and 2.53. Commenters 
expressed concern over the potential for 
misuse of information and a desire to 
balance the increased flexibility of 
proposed §§ 2.33 and 2.53 with 
increased protections. 


SAMHSA Response 


Promulgating rules that address 
discriminatory action is outside the 
scope of SAMHSA’s legal authority. 


c. Commenter Recommendations for 
Patient Notification on the Consent 
Form 


Public Comments 


Several commenters expressed 
concern that the proposed changes to 
§ 2.33 would greatly expand access to 
patient identifying information by 
individuals and entities to whom the 
patient did not specifically consent and 
for purposes not always evident to the 
patient. These commenters, and a 
number of others, requested that 
SAMHSA require, at a minimum, a 
notification to patients on the consent 
form that they are consenting to the 
disclosure of their patient identifying 
information to both the recipient and 
the recipient’s contractors, 
subcontractors, and legal representatives 
to the extent those contractors, 
subcontractors, and legal representatives 
need the information to carry out 
payment or health care operations 
purposes. 


SAMHSA’s Response 


SAMHSA is contemplating future 
rulemaking for 42 CFR part 2 and will 
take these recommendations under 
consideration at that time. In addition, 
consistent with the 21st Century Cures 
Act, prior to March 21, 2018, the 
Secretary of HHS will convene relevant 
stakeholders to determine the effects of 
42 CFR part 2 on patient care, health 
outcomes, and patient privacy. The 
information obtained at the meeting will 
help to inform the course of any further 
part 2 rule-making. SAMHSA will 
consider these comments on privacy 
and confidentiality in conjunction with 
those made during the stakeholder 
meeting. 


d. Commenter Recommendations for 
Mechanisms for Identifying and 
Sanctioning Unauthorized Disclosures 


Public Comments 


Several commenters recommended 
adding a requirement that lawful 
holders who wish to re-disclose patient 
identifying information to contractors, 
subcontractors, and legal representatives 
be subject to the same List of 
Disclosures requirements that apply to 
intermediaries who disclose patient 
identifying information pursuant to a 
general designation under the consent 
requirements at § 2.31. In addition, a 
couple of commenters requested that 
SAMHSA impose a List of Disclosures 
requirement on audit and evaluation 
agencies. One commenter requested that 
SAMHSA not finalize the proposed 
changes in the SNPRM without 
mechanisms in place to enable 
individuals who have been adversely 
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impacted to identify the source of a 
disclosure and initiate sanctions. 


SAMHSA Response 


SAMHSA appreciates the 
recommendations to add mechanisms to 
enable individuals who have been 
adversely impacted to identify the 
source of a disclosure, including adding 
a List of Disclosures requirement. 
SAMHSA is contemplating future 
rulemaking for 42 CFR part 2, and will 
take these recommendations under 
consideration. 


e. Other Commenter Recommendations 
for Additional Restrictions and 
Safeguards 


Public Comments 


SAMHSA also received comments 
recommending other types of 
protections and safeguards. One 
commenter recommended SAMHSA 
reinforce patients’ rights to file 
grievances and complaints and 
suggested that SAMHSA explore the 
ability to impose a confidentiality 
certificate on information disclosed to 
third parties similar to 42 U.S.C. 241(d), 
which protects the privacy of research 
subjects. A couple of commenters 
suggested strengthening patient 
protections by adding re-disclosure 
prohibitions in the statute similar to the 
confidentiality protections extended to 
certain veterans’ medical records, 
including substance use disorder patient 
records in Title 38. 

Another commenter stated that given 
stigma and risk of adverse impact, it was 
critical to have additional protections in 
place such as substantial penalties for 
disclosure violations and failure to 
maintain tracking of disclosures and 
mechanisms for an individual to 
identify and correct errors in an 
electronic health record and for 
identifying the source of the disclosed 
errors. This commenter stated that, 
because there is no clear mechanism to 
correct errors in records, it is critical 
that initial sharing of information be 
restricted until such mechanisms are 
developed. 

In addition, two commenters stated 
that the proposed audit and evaluation 
revisions could conflict with intended 
court order protections at §§ 2.64 
through 2.67 and requested SAMHSA 
clarify the necessity to obtain court 
orders in such investigations and 
prosecutions as a result of a Medicare, 
Medicaid, or CHIP audit or evaluation. 


SAMHSA Response 


SAMHSA appreciates the 
recommendations for identifying the 
source of a disclosure under § 2.33, and 
strengthening language regarding a 


patient’s right to file a grievance. 
SAMHSA is contemplating future 
rulemaking for 42 CFR part 2, and will 
take these recommendations under 
advisement at that time. 

In addition, SAMHSA does not have 
the authority to make statutory 
revisions, so SAMHSA cannot add re- 
disclosure prohibitions to the 
authorizing statute. With regard to the 
comment regarding the imposition of 
substantial penalties, the part 2 
regulations already include provisions 
to implement the statutory criminal 
penalties for violations. Further, 
SAMHSA does not have the authority to 
require a mechanism for making 
corrections in an electronic health 
record. 

SAMSHA believes that permitting 
contractors, subcontractors, and legal 
representatives to obtain information for 
audit and evaluation purposes does not 
contradict or undermine protections 
currently within §§ 2.64 through 2.67. 
For instance, § 2.53 provides that the 
audit and evaluation provisions ‘“‘do not 
authorize the part 2 program, the 
federal, state, or local government 
agency, or any other individual or entity 
to disclose or use patient identifying 
information obtained during the audit or 
evaluation for any purposes other than 
those necessary to complete the audit or 
evaluation.” Similarly, § 2.53(d) 
explicitly states that, except as 
provided, ‘‘patient identifying 
information disclosed under this section 
may be disclosed only back to the part 
2 program or other lawful holder from 
which it was obtained and may be used 
only to carry out an audit or evaluation 
purpose or to investigate or prosecute 
criminal or other activities, as 
authorized by a court order entered 
under § 2.66.” 


3. Impact on Privacy and Confidentiality 
and Part 2 Goals 


SAMHSA specifically sought 
comment on the implications of the 
proposed revisions on the privacy and 
confidentiality of substance use disorder 
patient records and the overall goals of 
42 GFR part 2. 


Public Comment 


SAMHSA received several comments 
that addressed this request, some of 
which were general in nature, while 
others were specific to proposed 
revisions in either § 2.32 or in § 2.33. All 
commenters expressed support for 
preserving patients’ confidentiality. One 
commenter expressed general concerns 
about parties trying to alter federal 
confidentiality protections in a manner 
that will not benefit patients. These 
concerns included prospective patients 


avoiding seeking treatment over fears 
that the proposed broader dissemination 
of their treatment information may lead 
to that information becoming known by 
friends, family, employers, insurers, and 
other providers of medical services. 
Commenters expressed concern 
regarding the privacy and 
confidentiality impact of the SNPRM 
changes to §§ 2.32 and 2.33. These 
commenters asserted that: (1) The 
changes would, over time, result in 
gradual disclosure of part 2 data as a 
result of failing to communicate through 
the notice the importance of avoiding 
improper re-disclosures; (2) substance 
use disorder patients would not likely 
agree to the broad use of their personal 
information for activities that they do 
not understand or are perhaps incapable 
of refusing (e.g., incompetent); and (3) 
terms such as “‘health care operations” 
and ‘‘quality improvement” are too 
general, allowing activities that have 
few limits or boundaries. A couple of 
commenters stated that the proposed 
changes would result in patients 
attempting to exclude their records from 
research and quality improvement 
systems or avoiding lifesaving treatment 
services. In addition, one commenter 
expressed concern that SAMHSA may 
have unintentionally abrogated its 
responsibility to protect vulnerable 
patients. 


SAMHSA Response 


As stated previously, this final rule 
builds on efforts in the January 18, 2017, 
42 CFR part 2 final rule (82 FR 6052) to 
better reflect changes in the health care 
system, such as the increasing use of 
electronic health records, and drive 
toward greater integration of physical 
and behavioral health care. Despite 
efforts to enhance integration, SAMHSA 
remains committed to protecting the 
confidentiality of patient records. This 
rule updates 42 CFR part 2 to balance 
these important needs. However, as an 
added protection and consistent with 
the 21st Century Cures Act, prior to 
March 21, 2018, the Secretary of HHS 
will convene relevant stakeholders to 
determine the effects of 42 CFR part 2 
on patient care, health outcomes, and 
patient privacy. The information 
obtained at the meeting will help to 
inform the course of any further part 2 
rule-making, and SAMHSA will 
consider these comments on privacy 
and confidentiality in conjunction with 
those made during the stakeholder 
meeting. 
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III. Rulemaking Analysis 


Regulatory Impact Analysis (RIA) 


In this final rule, SAMHSA finalizes 
certain revisions to 42 CFR part 2 as 
follows: Prohibition on re-disclosure 
(§ 2.32); the disclosures permitted with 
written consent (§ 2.33), including the 
payment and health care operations 
activities for which lawful holders may 
disclose patient identifying information 
to their contractors, subcontractors, and 
legal representatives. In addition, 
SAMHSA clarifies that the audit and 
evaluation provision (§ 2.53) permits 
certain disclosures to contractors, 
subcontractors, and legal representatives 
for purposes of carrying out an audit or 
evaluation, and that audits and 
evaluations may be performed on behalf 
of federal, state, and local governments 
providing financial assistance to or 
regulating the activities of lawful 
holders of patient identifying 
information as well as part 2 programs. 

Notably, SAMHSA explicitly sought 
comment on costs and benefits of its 
proposed changes. Of the 55 public 
comments received on the proposed 
rule, none substantively focused on cost 
or burden issues. Public comments 
support SAMHSA’s view in this final 
rule that these modifications will 
enhance information-sharing and 
efficiency of such payment and health 
care operations as claims processing, 
business management, training, and 
customer service and facilitate audit and 
evaluation activities. Further, SAMHSA 
believes that the re-disclosure 
provisions will make it easier for some 
part 2 programs and other lawful 
holders to use electronic health systems. 

The January 18, 2017, final rule noted 
that in “the absence of data and studies 
specifically focused on compliance with 
42 CFR part 2, SAMHSA has estimated 
these costs based on a range of 
published costs associated with HIPAA 
implementation and compliance.” 
SAMHSA notes that the HIPAA 
Omnibus Final Rule (78 FR 5566, Jan. 
25, 2013) similarly provided a transition 
period for covered entities to 
incorporate new provisions into 
agreements between business associates 
and covered entities (up to 20 months 
after publication of the final rule for 
some agreements, provided certain 
conditions were met) and anticipated 
that there would be little added cost as 
these contracts would already be 
required. SAMHSA believes that the 
cost of updating agreements among part 
2 programs and other lawful holders to 
reflect the provisions adopted in this 
final rule would be negligible. In order 
to provide entities with maximum 
flexibility reflecting their unique 


contractual arrangements, contracts may 
include statements about required 
compliance with 42 CFR part 2; 
however, no specific language beyond 
this concept is required by the rule. This 
tule provides up to two years from the 
effective date to comply with this 
section. Because part 2 programs and 
other lawful holders can modify their 
contracts during the normal 
renegotiation of contracts as existing 
contracts expire or, if such contracts are 
not regularly updated, can make such 
changes up to two years from this final 
tule’s effective date, new regulatory 
language required by § 2.33(c), as 
revised, should impose a minimal 
burden. 

SAMHSA similarly believes that the 
abbreviated notice of the prohibition on 
re-disclosure adopted in this final rule 
provides additional options to part 2 
entities that will facilitate adoption of 
electronic health records and reduce 
regulatory burdens. Entities not wishing 
to use the abbreviated notice may use 
the standard prohibition on re- 
disclosure notice. As the revised notice 
has limited characters, SAMHSA 
believes that it can be more readily used 
with existing electronic health record 
systems. 

Under the Paperwork Reduction Act 
of 1995 (PRA), agencies are required to 
provide a 60-day notice in the Federal 
Register and solicit public comment 
before a collection of information 
requirement is submitted to the Office of 
Management and Budget (OMB) for 
review and approval. PRA issues were 
discussed in the SNPRM. SAMHSA 
stated that it anticipated no substantive 
changes in PRA requirements should 
changes proposed in the SNPRM be 
adopted. SAMHSA received no public 
comment on our assumptions as they 
relate to the PRA requirements. 
SAMHSA continues to believe that the 
final rule imposes no new PRA burdens. 

SAMHSA has examined the impact of 
this final rule under Executive Order 
12866 on Regulatory Planning and 
Review (September 30, 1993), Executive 
Order 13771 on Reducing Regulation 
and Controlling Regulatory Costs 
(January 30, 2017), Executive Order 
13563 on Improving Regulation and 
Regulatory Review (January 18, 2011), 
the Regulatory Flexibility Act of 1980 
(Pub. L. 96-354, September 19, 1980), 
the Unfunded Mandates Reform Act of 
1995 (Pub. L. 104—4, March 22, 1995), 
and Executive Order 13132 on 
Federalism (August 4, 1999). 

Executive Order 12866 directs 
agencies to assess all costs and benefits 
of available regulatory alternatives and, 
if regulation is necessary, to select 
regulatory approaches that maximize 


net benefits (including potential 
economic, environmental, public health, 
and safety effects; distributive impacts; 
and equity). Executive Order 13563 is 
supplemental to, and reaffirms the 
principles, structures, and definitions 
governing regulatory review, as 
established in Executive Order 12866. 
Executive Order 13771 requires that the 
costs associated with significant new 
regulations ‘‘shall, to the extent 
permitted by law, be offset by the 
elimination of existing costs associated 
with at least two prior regulations.” The 
changes finalized in this rule will not 
have an annual effect on the economy 
of $100 million or more in at least one 
year. Therefore, this final rule is not an 
economically significant regulatory 
action as defined by Executive Order 
12866, or a significant regulation under 
Executive Order 13771. The Regulatory 
Flexibility Act (RFA) requires agencies 
that issue a regulation to analyze 
options for regulatory relief of small 
businesses if a rule has a significant 
impact on a substantial number of small 
entities. The RFA generally defines a 
“small entity” as (1) a proprietary firm 
meeting the size standards of the Small 
Business Administration; (2) a nonprofit 
organization that is not dominant in its 
field; or (3) a small government 
jurisdiction with a population of less 
than 50,000. (States and individuals are 
not included in the definition of “small 
entity’). For similar rules, HHS 
considers a rule to have a significant 
economic impact on a substantial 
number of small entities if at least five 
percent of small entities experience an 
impact of more than three percent of 
revenue. This final rule will not have a 
significant economic impact ona 
substantial number of small entities. 

Section 202(a) of the Unfunded 
Mandates Reform Act of 1995 requires 
that agencies prepare a written 
statement, which includes an 
assessment of anticipated costs and 
benefits, before proposing “any rule that 
includes any Federal mandate that may 
result in the expenditure by State, local, 
and tribal governments, in the aggregate, 
or by the private sector, of $100,000,000 
or more (adjusted annually for inflation) 
in any one year.” This final rule does 
not trigger the Unfunded Mandates 
Reform Act, because it will not result in 
expenditures of this magnitude by states 
or other government entities. 


IV. Provisions of Technical 
Amendments 


This section contains corrections to 
the final regulations published in the 
Federal Register on January 18, 2017 
(82 FR 6988). The word “‘manage’’ was 
inadvertently omitted from the 
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regulation text at § 2.15 concerning 
incompetent and deceased patients. It 
should read ‘‘to manage their own 
affairs” rather than “‘to their own 
affairs.’ A typographical error and 
reference in the regulation to 
“paragraph (a)(8)”’ should have instead 
read “paragraph (a)(6)’’ in the text of the 
regulations at § 2.35 concerning 
disclosures to elements of the criminal 
justice system which have referred 
patients. As a result, we are making 
technical corrections in 42 CFR part 2 
at §§ 2.15 and 2.35. 

Section 553 of the Administrative 
Procedure Act, 5 U.S.C. 553(b)(3)(B), 
provides that, when an agency for good 
cause finds that notice and public 
procedure are impracticable, 
unnecessary, or contrary to the public 
interest, the agency may issue a rule 
without providing notice and an 
opportunity for public comment. We 
have determined that there is good 
cause for making these technical 
corrections final without prior notice 
and opportunity for comment because 
the changes address minor 
typographical errors, misprints, or 
omissions, which are noncontroversial 
and do not substantively change the 
requirements of the rule. Furthermore, 
the minor corrections do not impose any 
additional obligations on any party. 
Thus, notice and public comment is 
impracticable, unnecessary, or contrary 
to the public interest. 


Conclusion 


SAMHSA is finalizing changes to 
clarify the payment and health care 
operations activities for which lawful 
holders may disclose patient identifying 
information to their contractors, 
subcontractors, and legal 
representatives. In addition, SAMHSA 
clarifies that the audit and evaluation 
provision permits certain disclosures to 
contractors, subcontractors, and legal 
representatives for purposes of carrying 
out an audit or evaluation under § 2.53. 
SAMHSA is finalizing changes to clarify 
that audits and evaluations may be 
performed on behalf of federal, state and 
local governments providing financial 
assistance to, or regulating the activities 
of lawful holders, as well as part 2 
programs. The final rule also includes 
an abbreviated notice of the prohibition 
on re-disclosure. Finally, SAMHSA is 
making minor technical corrections to 
select provisions of the 42 CFR part 2 
final rule published in the Federal 
Register on January 18, 2017. 


List of Subjects in 42 CFR Part 2 


Alcohol abuse, Alcoholism, Drug 
abuse, Grant programs—health, Health 


records, Privacy, Reporting, and 
Recordkeeping requirements. 

For the reasons stated in the preamble 
of this final rule, 42 CFR part 2 is 
amended as follows: 


PART 2—CONFIDENTIALITY OF 
SUBSTANCE USE DISORDER 
PATIENT RECORDS 


m 1. The authority citation for part 2 
continues to read as follows: 


Authority: 42 U.S.C. 290dd-2. 


§2.15 [Amended] 


mw 2. Amend § 2.15(a)(1) by removing the 
phrase ‘“‘to their own affairs’ and adding 
in its place the phrase “to manage their 
own affairs”. 


mw 3. Revise § 2.32 to read as follows: 


§2.32 Prohibition on re-disclosure. 

(a) Notice to accompany disclosure. 
Each disclosure made with the patient’s 
written consent must be accompanied 
by one of the following written 
statements: 

(1) This information has been 
disclosed to you from records protected 
by federal confidentiality rules (42 CFR 
part 2). The federal rules prohibit you 
from making any further disclosure of 
information in this record that identifies 
a patient as having or having had a 
substance use disorder either directly, 
by reference to publicly available 
information, or through verification of 
such identification by another person 
unless further disclosure is expressly 
permitted by the written consent of the 
individual whose information is being 
disclosed or as otherwise permitted by 
42 CFR part 2. A general authorization 
for the release of medical or other 
information is NOT sufficient for this 
purpose (see § 2.31). The federal rules 
restrict any use of the information to 
investigate or prosecute with regard to 
a crime any patient with a substance use 
disorder, except as provided at 
§§ 2.12(c)(5) and 2.65; or 

(2) 42 CFR part 2 prohibits 
unauthorized disclosure of these 
records. 

(b) [Reserved] 


mw 4. Revise § 2.33 to read as follows: 


§ 2.33 Disclosures permitted with written 
consent. 

(a) If a patient consents to a disclosure 
of their records under § 2.31, a part 2 
program may disclose those records in 
accordance with that consent to any 
person or category of persons identified 
or generally designated in the consent, 
except that disclosures to central 
registries and in connection with 
criminal justice referrals must meet the 
requirements of §§ 2.34 and 2.35, 
respectively. 


(b) If a patient consents to a disclosure 
of their records under § 2.31 for 
payment and/or health care operations 
activities, a lawful holder who receives 
such records under the terms of the 
written consent may further disclose 
those records as may be necessary for its 
contractors, subcontractors, or legal 
representatives to carry out payment 
and/or health care operations on behalf 
of such lawful holder. Disclosures to 
contractors, subcontractors, and legal 
representatives to carry out other 
purposes such as substance use disorder 
patient diagnosis, treatment, or referral 
for treatment are not permitted under 
this section. In accordance with 
§ 2.13(a), disclosures under this section 
must be limited to that information 
which is necessary to carry out the 
stated purpose of the disclosure. 

(c) Lawful holders who wish to 
disclose patient identifying information 
pursuant to paragraph (b) of this section 
must have in place a written contract or 
comparable legal instrument with the 
contractor or voluntary legal 
representative, which provides that the 
contractor, subcontractor, or voluntary 
legal representative is fully bound by 
the provisions of part 2 upon receipt of 
the patient identifying information. In 
making any such disclosures, the lawful 
holder must furnish such recipients 
with the notice required under § 2.32; 
require such recipients to implement 
appropriate safeguards to prevent 
unauthorized uses and disclosures; and 
require such recipients to report any 
unauthorized uses, disclosures, or 
breaches of patient identifying 
information to the lawful holder. The 
lawful holder may only disclose 
information to the contractor or 
subcontractor or voluntary legal 
representative that is necessary for the 
contractor or subcontractor or voluntary 
legal representative to perform its duties 
under the contract or comparable legal 
instrument. Contracts may not permit a 
contractor or subcontractor or voluntary 
legal representative to re-disclose 
information to a third party unless that 
third party is a contract agent of the 
contractor or subcontractor, helping 
them provide services described in the 
contract, and only as long as the agent 
only further discloses the information 
back to the contractor or lawful holder 
from which the information originated. 
m5. Amend § 2.35 by revising paragraph 
(a)(2) as follows: 


§2.35 Disclosure to elements of the 
criminal justice system which have referred 
patients. 

(a) * Kk O* 

(2) The patient has signed a written 
consent meeting the requirements of 
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§ 2.31 (except paragraph (a)(6) of this 
section which is inconsistent with the 
revocation provisions of paragraph (c) of 
this section) and the requirements of 
paragraphs (b) and (c) of this section. 
m6. Amend § 2.53 by: 
ma. Revising paragraphs (a) 
introductory text, (a)(1)(i) and (ii), (a)(2). 
am b. Revising paragraphs (b) 
introductory text, (b)(2)(i) and (ii). 
mc. Revising paragraph (c)(5). 
m d. Revising paragraph (d). 

The revisions and addition read as 
follows: 


§ 2.53 Audit and evaluation. 

(a) Records not copied or removed. If 
patient records are not downloaded, 
copied or removed from the premises of 
a part 2 program or other lawful holder, 
or forwarded electronically to another 
electronic system or device, patient 
identifying information, as defined in 
§ 2.11, may be disclosed in the course of 
a review of records on the premises of 
a part 2 program or other lawful holder 
to any individual or entity who agrees 
in writing to comply with the 
limitations on re-disclosure and use in 
paragraph (d) of this section and who: 

1 kK OK 

(i) Any federal, state, or local 
governmental agency that provides 
financial assistance to a part 2 program 
or other lawful holder, or is authorized 
by law to regulate the activities of the 
part 2 program or other lawful holder; 

(ii) Any individual or entity which 
provides financial assistance to the part 
2 program or other lawful holder, which 
is a third-party payer covering patients 
in the part 2 program, or which is a 
quality improvement organization 
performing a utilization or quality 
control review, or such individual’s or 
entity’s or quality improvement 
organization’s contractors, 
subcontractors, or legal representatives. 

(2) Is determined by the part 2 
program or other lawful holder to be 
qualified to conduct an audit or 
evaluation of the part 2 program or other 
lawful holder. 

(b) Copying, removing, downloading, 
or forwarding patient records. Records 
containing patient identifying 
information, as defined in § 2.11, may 
be copied or removed from the premises 
of a part 2 program or other lawful 
holder or downloaded or forwarded to 
another electronic system or device 
from the part 2 program’s or other 
lawful holder’s electronic records by 
any individual or entity who: 

(2) xk Kk O* 

(i) Any federal, state, or local 
governmental agency that provides 
financial assistance to the part 2 
program or other lawful holder, or is 


authorized by law to regulate the 
activities of the part 2 program or other 
lawful holder; or 

(ii) Any individual or entity which 
provides financial assistance to the part 
2 program or other lawful holder, which 
is a third-party payer covering patients 
in the part 2 program, or which is a 
quality improvement organization 
performing a utilization or quality 
control review, or such individual’s or 
entity’s or quality improvement 
organization’s contractors, 
subcontractors, or legal representatives. 
* * * * * 


(c) * x O* 


(5) Ifa disclosure to an individual or 
entity is authorized under this section 
for a Medicare, Medicaid, or CHIP audit 
or evaluation, including a civil 
investigation or administrative remedy, 
as those terms are used in paragraph 
(c)(2) of this section, the individual or 
entity may further disclose the patient 
identifying information that is received 
for such purposes to its contractor(s), 
subcontractor(s), or legal 
representative(s), to carry out the audit 
or evaluation, and a quality 
improvement organization which 
obtains such information under 
paragraph (a) or (b) of this section may 
disclose the information to that 
individual or entity (or, to such 
individual’s or entity’s contractors, 
subcontractors, or legal representatives, 
but only for the purposes of this 
section). 

* * * * * 


(d) Limitations on disclosure and use. 
Except as provided in paragraph (c) of 
this section, patient identifying 
information disclosed under this section 
may be disclosed only back to the part 
2 program or other lawful holder from 
which it was obtained and may be used 
only to carry out an audit or evaluation 
purpose or to investigate or prosecute 
criminal or other activities, as 
authorized by a court order entered 
under § 2.66. 


* * * * * 


Dated: December 19, 2017. 
Elinore F. McCance-Katz 


Assistant Secretary for Mental Health and 
Substance Use. 


Approved: December 20, 2017. 
Eric D. Hargan, 


Acting Secretary, Department of Health and 
Human Services. 


[FR Doc. 2017-28400 Filed 1—2—18; 8:45 am] 
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SUMMARY: This rule identifies 
communities where the sale of flood 
insurance has been authorized under 
the National Flood Insurance Program 
(NFIP) that are scheduled for 
suspension on the effective dates listed 
within this rule because of 
noncompliance with the floodplain 
management requirements of the 
program. If the Federal Emergency 
Management Agency (FEMA) receives 
documentation that the community has 
adopted the required floodplain 
management measures prior to the 
effective suspension date given in this 
rule, the suspension will not occur and 
a notice of this will be provided by 
publication in the Federal Register on a 
subsequent date. Also, information 
identifying the current participation 
status of a community can be obtained 
from FEMA’s Community Status Book 
(CSB). The CSB is available at https:// 
www.fema.gov/national-flood- 
insurance-program-community-status- 
book. 


DATES: The effective date of each 
community’s scheduled suspension is 
the third date (‘‘Susp.’’) listed in the 
third column of the following tables. 


FOR FURTHER INFORMATION CONTACT: If 
you want to determine whether a 
particular community was suspended 
on the suspension date or for further 
information, contact Adrienne L. 
Sheldon, PE, CFM, Federal Insurance 
and Mitigation Administration, Federal 
Emergency Management Agency, 400 C 
Street SW, Washington, DC 20472, (202) 
212-3966. 


SUPPLEMENTARY INFORMATION: The NFIP 
enables property owners to purchase 
Federal flood insurance that is not 
otherwise generally available from 
private insurers. In return, communities 
agree to adopt and administer local 
floodplain management measures aimed 
at protecting lives and new construction 
from future flooding. Section 1315 of 
the National Flood Insurance Act of 
1968, as amended, 42 U.S.C. 4022, 
prohibits the sale of NFIP flood 


